This post cannot be validated with Frog's signature.
I am signing it with my bluejay pgp sig

==============

From: Frog-Admin (Use-Author-Address-Header@[127.1])
Subject: Re: Remailer abuser caught:
Newsgroups: alt.privacy.anon-server
Date: 2000/02/07

On 7 Feb 2000, RProcess wrote:

|On 7 Feb 2000, Frog-Admin wrote in alt.privacy.anon-server:
|> I caught an abuser (trivial traffic analysis):
|>
|> Azerty received 100 * messages 160 K initially
|> giving 100 * identical messages 60 K on arrival with 14*gif (batman)
|> each.
|> In-between, transparent-remix generated a few hundreds messages
|> each hop

|On the latter thought, I remember you mentioning that you have
|modified Reliable to perform some logging (which you apparently used
|to trace this message through three remailers, two of which you run),
|and I think it would be helpful and correct if you detailed these
|changes for your
|users. I think your users should be informed of such modifications as
|it is their security you are silently jeopardizing. I also think that
|your not immediately making it clear from the outset that you ran both
|Azerty and Frog was at the very least a serious error of judgement.

I always planned to make those modifications public, both on JBN and
Reliable. There is even a page at my WWW which lists them, (since
December) and links are ready to the actual code of the modification.
And there are all "cosmetic" modifications.
But you know why I ran out of time.

About the "Load Graphs" and, as I state in the "internal data" page,
*no* @ are collected in the process, *only* date-time-size
and of course collection of MAILIN and MAILOUT information are
unrelated processes.

"Logging" would be a X-reference between the @ in MAILIN and MAILOUT,
and that is an absolute NO-NO to me

The technique I used was pure *traffic analysis*, and could have
been performed by *anybody* snooping on my incoming/outcoming mail

*trivial* correlation between
    100*160Kb messages incoming to Azerty
        (with sender-abuser name-@ in clear)
    100*60Kb messages outcoming from Frog
        (With vengeful title, silly content, recipient-abused name-@ in clear)

I performed it when I took a glance at the computer and my MailBox
had reached an alarming size of 16 Mb while the abuse was lasting
with
    40 messages still clogged in MAILIN
    20 having already gone through MAILOUT
There is nothing I could have done after the 100th was gone through
MAILIN.

Normally, the *only* mail I read is
    the headers of posts in error using NNTP
        which get into "error" because the NG is unsupported
        I manually add "alt.test" to permit processing
        and I do not even recall the "exotic" NG which were asked for
    the headers of MAILOUT in error
        which get into "error" because of misconfigured @:
        extra ","
        extra odd characters
    the body of PGP-encrypted MAILIN in error
        mainly PGP 6.2 messages sent with Agent
        and with a wrong line-wrapping
        the "comment" line spreads on two lines and message will not decode

Sure I was wrong not to say Azerty was run by me too. It was somehow
obvious from the beginning (same features, same looks, same IP...)
and I was a bit surprised by the instant popularity of it.
It was meant to be purely experimental (testing of a MTA under load),
and I made it public in NG and stats when I thought it became an issue
ie some days ago, after the deaths of LefArris, Nowhere, Foebud

|In cases of *carefully verified* abuse, I think the proper procedure
|is to attempt to contact the sender, giving him or her the chance to
|defend or explain the apparent abuse, and modify their behavior.
|Failing that notify the sender's ISP. I consider it very bad form to
|publish mail to newsgroups and even the remops list (which is public).
|This plays into the hands of abusers and undermines the integrity of
|the remailer system, which depends on operators NOT sharing
|information.

Frog had received DOS threats the day before in a fr. NG.
And 16 Mb is clearly a risk of flood for a remailer.
(Frog or Azerty would certainly have lost mail 15 days ago,
they did not on that occasion)

I wanted to make it clear that I will fight back anybody attacking
the remailer, with *all* weapons at hand.

(and *yes* there is a "political" page in the works, stating
    why I run a remailer
    why I do not censor on content
    why I do not create or keep logs
    what I will do if asked to surrender keys
    what I will not tolerate and which actions I would take)

WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
Frog Remailer WWW Page:
index
    http://www.multimania.com/frogadmin/
Main with stats
    http://www.multimania.com/frogadmin/Main.html
Internal Data
    http://www.multimania.com/frogadmin/Sta_.shtml
All Remailer's Page
    http://www.multimania.com/frogadmin/Remailers.shtml
Comments on Keyrings & Capability-string Update
    http://www.multimania.com/frogadmin/Keys/Remailer-Comment.html
Browse into Frog Remailer Load Graphs
    http://www.multimania.com/frogadmin/Graphs/Browse.html
DownLoads
    http://www.multimania.com/frogadmin/MyDownLoad.html
Thesaurus
    http://www.multimania.com/frogadmin/Thesaurus/Thesaurus.html
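
Added example, not part of the original post and not code from Frog, Azerty or Reliable: a flood check an operator could run over date-time-size records alone (the only data the post says is collected, with no addresses), flagging a run of near-identical message sizes such as the 100 * 160 K burst described. The function name, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

def make_sample():
    """Constructed records: (arrival time, size in bytes). No addresses."""
    t0 = datetime(2000, 2, 7, 12, 0, 0)
    normal = [(t0 + timedelta(minutes=7 * i), 2000 + 913 * i) for i in range(12)]
    flood = [(t0 + timedelta(minutes=30, seconds=20 * i), 160 * 1024)
             for i in range(100)]
    return sorted(normal + flood)

def detect_flood(records, window=timedelta(hours=1), bucket=4096,
                 min_count=20, max_window_bytes=8 * 1024 * 1024):
    """Scan time-sorted (datetime, size) records with a sliding window.

    Alerts once per size bucket when min_count messages of roughly the
    same size arrive inside the window, and once when the bytes received
    inside the window exceed max_window_bytes (assumed thresholds).
    """
    alerts, counts, flagged = [], Counter(), set()
    start, total, volume_flagged = 0, 0, False
    for ts, size in records:
        b = size // bucket
        counts[b] += 1
        total += size
        # Drop records that have aged out of the window.
        while records[start][0] < ts - window:
            old = records[start][1]
            counts[old // bucket] -= 1
            total -= old
            start += 1
        if counts[b] >= min_count and b not in flagged:
            flagged.add(b)
            alerts.append(("same-size burst", ts, b * bucket))
        if total > max_window_bytes and not volume_flagged:
            volume_flagged = True
            alerts.append(("inbound volume", ts, total))
    return alerts

if __name__ == "__main__":
    for kind, ts, value in detect_flood(make_sample()):
        print(ts.isoformat(), kind, value)
```

The same-size alert fires at the 20th identical message, well before the mailbox fills, which is the point at which an operator can still throttle or hold the queue.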